Practical IPsec
Ken Renard, WareOnEarth Communications, Inc.

Tutorial Overview
- Security and Cryptography Background
- IPsec Overview
- IPsec Components
- IPsec Implementations
- Practical Examples

Security Overview
- Security is tough
  - The smallest of details can be very important
  - Encryption is not easy to do correctly
- Security can be very complex
  - Many interdependent systems
  - See first bullet
- Mis-information on security (aka marketing)
  - Snake oil, techno-babble, and confusing jargon
- You're only as good as your weakest link

Security Concepts
- Network threats
  - Unauthorized release of information
  - Unauthorized modification of information
  - Unauthorized use of service

Security Services
- Data Integrity (data in storage or transit)
  - Integrity of data content
  - Message ordering
  - Data authenticity
- Data Confidentiality (data in storage or transit)
  - Confidentiality of data content
  - Traffic analysis
- Access Control and Authorization
- Non-Repudiation

Authentication vs. Authorization
- Authentication (authN)
  - "Not imaginary, false, or imitated; genuine, veritable, worthy of acceptance or belief"
  - Is this person really who they claim to be?
- Authorization (authZ)
  - "Approval or permission making a course of action valid; freedom or right granted to another"
  - Is this person allowed to access this service?

Cryptography Background
- Purpose: to alter information into an unrecognizable format such that it can be recovered in a known way
  - Only those who are authorized to see the data know the way
- Can be used for data confidentiality, data authentication, and data integrity
- Mathematical or procedural algorithms for altering data

Cryptographic Operations
- Encryption: convert plaintext to cipher text
- Decryption: convert cipher text to plaintext
- Plaintext should be unreadable to unauthorized parties (confidentiality)
- Keys may be used to "disturb" or permute the output of algorithms

Keys and Key Management
- Strong cryptographic algorithms require the key to decrypt cipher text
  - Encryption keys and decryption keys are related
- Keys are generally a long string of bits
  - Not easily remembered by mere humans
  - String-to-key algorithms (password-generated keys)
  - Password-protected key storage
- Key Management
  - Generation, distribution, storage, destruction, and maintenance of keys
  - Key generation usually depends on a good source of random numbers
  - Secrecy of keys is extremely important -- but sometimes left to the user
  - Vulnerable part of any cryptographic system

Using Encryption in Security
- Confidentiality
  - Only authorized parties have the key, and therefore the ability to decrypt
- Authentication
  - If key distribution is limited to a known party, successful encryption implies data source authentication
- Integrity
  - If key distribution is limited to a known party, the message could not have been decrypted, modified, and re-encrypted
- All of these require proper key management

Cryptographic Hashes
- Hash: data signature, or "digest", using a one-way function
  - Hash represents data, but cannot be used to recover it
- Given a hash, it is nearly impossible to generate a similar message with the same hash
  - There will be collisions, but they should not be predictable
- Variable length message, fixed length hash
- Practical examples: Unix "sum" or "md5sum" commands

More on Hashes
- Hashes for authentication
  - Calculate hash of message, then encrypt
  - Receiver decrypts and verifies hash
  - Successful decryption indicates authentication of hash
  - Authentic hash is an indicator of authentic message content
  - Cheaper to encrypt small hash versus larger message
  - Example: PGP signatures
- Keyed hash
  - Include key in data being hashed
  - Receiver hashes key in with data and verifies
  - Only those who possess the key can generate keyed hashes

Breaking Cryptography
- Poorly designed algorithms may be subject to many attacks
- Known-plaintext attacks: having some knowledge of what the plaintext may look like
- Brute-force attacks: attempt to search entire key space using cipher text and decryption algorithm
  - Try every possible key until decrypted text makes sense
  - On average, search one half of the key space
  - Key space versus key length
- Attacks on key management
  - Human factor usually the easiest to break
  - Poor design or implementation of security systems

Brute Force Attacks
- A good implementation of a good algorithm with good key management is still vulnerable
- Encryption and decryption require CPU time
  - Trying every possible key takes a long time, but is possible
  - Balance cost/probability of compromise versus time
- Key length is generally proportional to strength of encryption
- Given any algorithm, cipher text, and infinite time or infinite computing power, it can be broken
- Key size requirements depend on the algorithm
  - 56-bit DES can be broken in less than 5 hours
    http://www.computeruser.com/newstoday/99/01/25/news7.html
  - 168-bit 3DES and 128- or 256-bit AES are deemed appropriate today
Some Details on Cryptography
- Stream ciphers versus block ciphers
  - Stream ciphers operate on one bit at a time
  - Block ciphers operate on larger chunks of data at a time
  - May need to pad data to block size of algorithm
- Modes of encryption algorithms
  - ECB: Electronic code book
  - CBC: Cipher block chaining
  - Counter mode: encrypt a sequence of numbers and XOR output with plaintext (pseudo-stream cipher)

Cipher Block Chaining [two diagram slides]
Counter Mode Cipher [diagram]

Cipher Modes
- If you find this stuff interesting
  - You are a true geek
  - Check out: "Practical Cryptography" -- Niels Ferguson and Bruce Schneier

Symmetric Key Cryptography
- Same key is used for both encryption and decryption
- Sender and receiver share a key
  - Must secretly negotiate key before communications
  - Out-of-band method (e.g. trusted third party)
- Secure communications depend on secrecy of shared key
  - If adversary can intercept, guess, or steal key, then the communication is no longer secret
  - Unfortunately, humans* are usually part of key management (* = inherently imperfect)
- Popular algorithms: 3DES, AES, Blowfish, IDEA, RC4, etc.

Public Key Cryptography
- Different keys are used for encryption and decryption
- Two mathematically-related keys are generated
  - Public key: publicized, anyone can look it up
  - Private key: kept private, known only to owner
- First rule of understanding public key encryption
  - What is encrypted with one key is decrypted with the other
- Encrypt with public key
  - Everyone can know your public key -- anyone can encrypt
  - Only you know your private key -- only you can decrypt
- Encrypt with private key
  - Only you know your private key -- only you can encrypt
  - Everyone can know your public key -- anyone can decrypt

Public Key: Encryption
- Encrypt with public key, decrypt with private key
  - Everyone can know your public key -- anyone can encrypt
  - Only you know your private key -- only you can decrypt
- Anyone can encrypt a message that only you can decrypt
  - Must have knowledge of your public key
  - Correctness of your public key is important
  - Privacy of private key is important
- Example application: sending private e-mail

Public Key: Signatures
- Encrypt with private key, decrypt with public key
  - Only you know your private key -- only you can encrypt
  - Everyone can know your public key -- anyone can decrypt
- Analogous to handwritten signature (actually, it's better!)
- Anyone can decrypt a message that only you can encrypt
  - Must have knowledge of your public key
  - Correctness of public key is important
  - Privacy of private key is important
- Example application: authenticated e-mail

Public Key Cryptography In Practice
- Popular algorithms: RSA, Diffie-Hellman
- Public key encryption/decryption is computationally expensive
  - Limit use of public key operations to symmetric key exchange
  - Use PK ops to sign and encrypt key exchanges
- Public key encrypt operation
  - Generate random symmetric session key

Public Key Cryptography In Practice [diagram]

Diffie-Hellman Key Agreement
- Anonymous key exchange algorithm
- Public parameters p and g
  - p is a large prime number
- Each party generates a random private value: a and b
- Each party generates a public value: (g^a mod p), (g^b mod p)
- Exchange public values over unsecured link
- Calculate key = g^ab mod p
  - (g^a mod p)^b mod p = (g^b mod p)^a mod p = g^ab mod p
- This is susceptible to a man-in-the-middle attack
  - Authentication must be tightly coupled

Public Key Infrastructures (PKI)
- Security of public key encryption depends on:
  - Correct distribution and maintenance of public keys
  - Privacy of private keys
- Must authenticate and verify integrity of others' public keys
- Keys can be exchanged out of band
  - Key management the same as symmetric key
- Trust some authority to introduce new keys
  - Manual key management only necessary with authorities

Public Key Certificates
- A certificate binds a public key to an identity
- Analogous to driver's license
  - Binds picture to an identity
  - Hologram to verify authenticity of document
  - Trust authority (issuing state agency) to vouch for binding
- Certificate includes
  - Public key data
  - Subject identity
  - Issuer identity
  - Validity period
  - Signature
- Issuer "signs" certificate data
  - We can verify that issuer created this certificate

Certificate Authority (CA)
- Defines policies for verifying identity of "subscribers"
  - Anyone with $50
  - Provide physical proof of identity (e.g. driver's license)
- Subscriber provides public key data and proof of identity
- Certificate Authority generates signed certificate
- Services select which CAs they will trust
- Public CAs are available
  - RSA, Thawte, Verisign, etc.

X.509 Certificates
- X.509 is a standard format for certificate information
  - Uses ASN.1 encoding
- Data in certificate
  - Distinguished Name (DN) in X.500 formatting
    C=US/O=Army/OU=ARL/CN=Joe Researcher
  - Certificate serial number
  - Issuer
  - Valid From / Valid Until timestamps (typical lifetime is 2 or 3 years)
  - Public key information
  - Signature
  - Extension information
- Current version of X.509 is v3

Certificate Revocation
- If private key is compromised, it can be used to steal identity or decrypt private information
- Certificate may be revoked by CA, indicating that the binding is no longer valid
  - Only necessary during certificate lifetime
- CA periodically issues CRL
  - Certificate Revocation List
  - Lists certificates by serial number
  - CRLs have expiration time and time of next issue
- Applications must check CRL for each certificate
  - Client and server side

Using Certificates
- Encrypt a message to a recipient
  - Obtain certificate of recipient(s)
  - Verify authenticity of certificate (check signature chain)
  - Check CRL
  - Encrypt with public key
- Verifying signature
  - Obtain certificate of signer
  - Verify authenticity of certificate (check signature chain)
  - Check CRL
  - Perform hash of message and compare to signed hash sent

Obtaining Certificates
- Some protocols send certificates in setup messages
- Certificates can be looked up in directory
  - LDAP
  - X.500
  - DNS
- Must have prior knowledge of some certificates
  - Root CA certificates
  - Self-signed certificates

Certification Hierarchy [diagram]

Certification Hierarchy
- Certificate "chain"
  - List of certificates from you up to common trusted CA
- Must have authentic copy of trusted root CA certificates
  - If you have a bogus trusted root CA certificate, someone can impersonate any identity
- If a CA is compromised
  - Private key of CA is known to attacker
  - That CA must no longer be trusted

PKI and Key Management
- We can establish authenticated and encrypted communication with anyone
  - Who has a valid certificate from a trusted CA
  - Without previous secure key exchange with individual
- Secrecy of private keys is essential
  - Storing private keys on smartcards is a good idea
  - CAC stores certificates and private key
    - Private key operations done on the card
    - Private key never leaves the card
- Secure, authentic copy of CA certificates important
- Revocation checking is a must!
  - CRLs or OCSP

IPsec Overview
- Security services at the IP [Network (3)] layer
- "Hour glass" model
  - Lower layers are technology-dependent
  - Upper layers are application-dependent
- "Middle-layer" security
  - Can be provided by "the network" (router-router)
  - Can be implemented in either hardware or software
- IPv4 and IPv6
  - Native support for IPsec is mandatory for IPv6
  - Optional, but generally available for IPv4

IPsec Overview
- IPsec components
  - Protection of IP packets "on the wire"
  - Provide protection based on security policy
  - Automated key management
- IPsec works by applying, enforcing, and managing Security Associations (SAs)
  - Define protection applied to packets
  - Enforce security policy according to "processing model"
  - Maintained by key management

IPsec Security Services
- Authentication
  - Data source authentication
- Integrity
  - Message content and ordering
- Confidentiality
  - Encryption of packet data
- Replay detection
- Limited traffic flow confidentiality
- Access control (i.e. packet filtering)

IPsec Dependencies
- Trusted identities
  - PKI or some authentication and key mgmt infrastructure
- Correct implementation
  - Questionable (vendor priorities, complexity, demand)
  - Protocol changes are on-going
- Secure platforms
- Correct usage
  - Are we doing more harm than good?

IPsec Is NOT...
- A silver bullet for security
  - It is merely an additional tool available
  - Should never be the sole security mechanism
- User-level security
  - Identities are network endpoints, not users
- Application level security
  - Does not replace SSL or Kerberos
  - Application security is still necessary
  - Applications may be unaware of IPsec services
  - Viruses can be spread securely now!
- See draft-bellovin-useipsec-03.txt

IPsec "Problems"
- Implementations are still complex
  - Configuration can be vastly different across platforms
  - Some implementations lacking features
    - Selector granularity
    - PKI integration
- IPsec can render network security devices useless
  - Firewalls may not see port numbers
  - NIDS may not see packet data
- Key management and identity management
- Public perception: "Just IPsec it"

IPsec and Network Security Services [diagram]

IPsec and IPv6
- Native support for IPsec is required for IPv6
  - That's where "IPv6 is secure" comes from
- Many vendors do not support IPsec for IPv6 yet
  - Windows Longhorn and XP patch (2nd half 2005)
  - Linux (USAGI only)
  - Solaris 10 (beta, with bugs)
  - HP (HP-UX and Tru64) and IBM AIX claim support
- Some parts of IPv6 cannot be protected by IPsec
  - Cannot use IKE for auto-configuration
    - No addresses

IPsec History
- Idea of IPsec goes back (at least) to the early 1990s
- Three "revisions"
  - 1995: RFC 1825-1829 -- no key management
  - 1998: RFC 2401-2412 -- IKE v1 key management
  - Current -- IKE v2 key management
    - RFC numbers to be assigned

IPsec RFCs
- 2401 Security Architecture for the Internet Protocol. S. Kent, R. Atkinson.
- 2402 IP Authentication Header. S. Kent, R. Atkinson.
- 2403 The Use of HMAC-MD5-96 within ESP and AH. C. Madson, R. Glenn.
- 2404 The Use of HMAC-SHA-1-96 within ESP and AH. C. Madson, R. Glenn.
- 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV. C. Madson, N. Doraswamy.
- 2406 IP Encapsulating Security Payload (ESP). S. Kent, R. Atkinson.
- 2407 The Internet IP Security Domain of Interpretation for ISAKMP. D. Piper.
- 2408 Internet Security Association and Key Management Protocol (ISAKMP). D. Maughan, M. Schertler, M. Schneider, J. Turner.
- 2409 The Internet Key Exchange (IKE). D. Harkins, D. Carrel.
- 2410 The NULL Encryption Algorithm and Its Use With IPsec. R. Glenn, S. Kent.
- 2411 IP Security Document Roadmap. R. Thayer, N. Doraswamy, R. Glenn.
- 2412 The OAKLEY Key Determination Protocol. H. Orman. (Informational)

IPsec RFCs
- 1321 The MD5 Digest Algorithm (and 1810 Report on MD5 Performance)
- 1750 Randomness Recommendations for Security (revision in draft)
- 1828 IP Authentication using Keyed MD5
- 2094 Group Key Management Protocol (GKMP) (Experimental)
- 2104 HMAC: Keyed Hashing for Message Authentication (and RFC 2202, Test Cases)
- 2284 PPP Extensible Authentication Protocol (EAP)
- 2394 IP Payload Compression Protocol (IPComp)
- 2451 The ESP CBC-Mode Cipher Algorithms
- 2460 Internet Protocol, Version 6 (IPv6) Specification (and related RFCs)
- 3168 The Addition of Explicit Congestion Notification (ECN) to IP
- 3280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- 3456 Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode
- 3513 Internet Protocol Version 6 (IPv6) Addressing Architecture
- 3526 More Modular Exponential (MODP) Diffie-Hellman Groups for Internet Key Exchange (IKE)
- 3554 On the Use of Stream Control Transmission Protocol (SCTP) with IPsec
- 3566 The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec
- 3602 The AES-CBC Cipher Algorithm and Its Use With IPsec
- 3664 The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
- 3686 Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
- 3715 IPsec-Network Address Translation (NAT) Compatibility Requirements

Tutorial Overview
- Security and Cryptography Background
- IPsec Overview
- IPsec Components
- IPsec Implementations
- Practical Examples

IPsec Components
- AH - Authentication Header
- ESP - Encapsulating Security Payload
- SA - Security Associations
- SPD - IPsec Policy
- IKE - Key Management

IPsec Authentication Header
- Can provide
  - Connectionless integrity
  - Data origin authentication
  - Replay detection
  - Partial sequence integrity (anti-replay detection)
- AH after IP packet header, before IP payload
  - IPPROTO_AH = 51
- Integrity Check Value (ICV) covers
  - Immutable fields of the IP packet header
  - Entire AH (authentication data set to all zeros)
  - All upper layer data
- "Improper" encapsulation (layer violation)

AH Header Diagram [diagram]

Authentication Header Fields
- Next Header: protocol of the header that follows the AH, as defined in most recent "Assigned Numbers" RFC
- Payload Length: length of AH in 32-bit words minus 2
  - IPv6 extension header standard is "minus 1 64-bit word"
- Security Parameters Index (SPI)
  - Used to uniquely identify Security Association (SA)
- Sequence Number
  - Set to zero at initialization of SA
  - Sender monotonically increases value per packet (must not cycle)
  - Receiver may disregard SN
- Authentication Data -- variable length (multiple of 32 bits)
  - Interpretation based on SA

IPsec ESP: Encapsulating Security Payload
- Can provide
  - Connectionless integrity*
  - Data origin authentication*
  - Replay detection*
  - Partial sequence integrity (anti-replay detection)*
  - Confidentiality
  - Partial traffic flow confidentiality
- ESP after IP packet header, before IP payload
  - IPPROTO_ESP = 50
- Authentication and encryption cover
  - Entire ESP header (authentication data set to all zeros)
  - All upper layer data

ESP Header Diagram [diagram]

ESP Header Fields (cont)
- Pad length
  - Length in bytes
- Next Header: protocol of the header encapsulated by the ESP, as defined in most recent "Assigned Numbers" RFC
  - Note that this field is encrypted
- Authentication Data -- variable length (multiple of 32 bits)
  - Interpretation based on SA

Transport and Tunnel Modes
- AH and ESP have 2 modes of operation
- Transport mode
  - AH and/or ESP is placed between IP header and next higher level header
    - IP-TCP -> IP-AH-TCP
    - IP-TCP -> IP-ESP-TCP
  - AH in transport mode authenticates parts of preceding IP header and all of IP payload
  - ESP in transport mode protects only IP payload
  - Can only be used host-to-host
  - Term "transport" does not restrict application to just TCP/UDP

Transport and Tunnel Modes
- Tunnel mode
  - Creates new IP header (IP')
  - Encapsulates existing IP packet
    - IP-UDP --> IP'-AH-IP-UDP
    - IP-UDP --> IP'-ESP-IP-UDP
  - AH in tunnel mode authenticates parts of IP' and all of existing IP packet
    - Existing IP packet is not changed in transit
  - ESP in tunnel mode encrypts all of the existing packet
  - May be used host-to-host, host-to-router, router-to-router
  - Common way to implement VPNs
  - BITW -- Bump-In-The-Wire

Host-to-Host Modes [diagram]
Host-to-Gateway Tunnel Mode [diagram]
Gateway-to-Gateway Tunnel Mode [diagram]
Ordering of Packet Headers (AH) [diagram]

Security Associations
- A "simplex" connection that specifies an IPsec security protocol
  - AH or ESP, not both
  - Typical bi-directional security requires (at least) 2 SAs
- Contains all the needed parameters
  - Selectors, algorithms, keys, replay counters, expiration, modes
- Source applies security, destination verifies
- Can be established manually or negotiated by IKE
- Each node maintains a Security Association Database (SAD)
  - Indexed by 3-tuple
    - 32-bit Security Parameter Index (SPI) chosen by receiver
    - IP destination address
    - Security protocol (AH or ESP) [not for long]

Security Association Information
- Addresses
- Sequence number counter -- 32 bit
- Sequence counter overflow -- flag
- Anti-replay window
- AH authentication algorithm*
- ESP encryption algorithm*
- ESP authentication algorithm*
- Lifetime
  - Time and/or byte count
  - New SAs (with new SPI) replace expiring SAs
- Protocol mode (transport v. tunnel)
- Path MTU

Security Policy Database (SPD)
- List of policy rules that determine actions to take for inbound and outbound traffic
  - Separate list for each direction for each interface
- List is ordered
  - Wildcards are allowed, ordering matters
- Selectors designate specific traffic
  - Discard, bypass IPsec, or apply/verify IPsec
  - Map traffic to a specific SA (or new one is created)
  - Addresses, port numbers, protocols, sub-protocols
- Think stateless firewall rules

IKE for Key Management
- Internet Key Exchange
  - Actually does entire SA negotiation
- Manual configuration of SAs becomes too difficult
  - IKE is no picnic, either
- Allows for flexible policy and usage
  - Multiple algorithms, authentication methods
- Integrates entity authentication with key exchange

IKE Hierarchical Key Management
- Long term keys
  - Usually public/private key pairs
  - Use certificates to bind public key to identity
    - Certificates may belong to hosts, people, etc.
  - Support for shared keys
  - Typical lifetime months to a few years
- Short term keys
  - Usually symmetric keys
  - Unilaterally or cooperatively generated
    - Could be based on authentication exchange
  - Typical lifetime few minutes to a few days
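The Diffie-Hellman agreement from the "Diffie-Hellman Key Agreement" slide, worked through in POSIX shell arithmetic so the identity (g^a mod p)^b mod p = (g^b mod p)^a mod p = g^ab mod p can be checked by hand. This is an added example, not code from the tutorial; the parameters are constructed toy values (real IKE uses the Oakley MODP groups the tutorial mentions, far beyond shell integers) and the function names are my own.

```shell
#!/bin/sh
# Diffie-Hellman key agreement in plain POSIX shell arithmetic.
# Added example; values are constructed and intentionally small.

# modexp BASE EXP MOD : prints BASE^EXP mod MOD by square-and-multiply.
# Keep MOD below 2^31 so every intermediate product fits in 64-bit arithmetic.
modexp() {
    base=$(( $1 % $3 )); exp=$2; mod=$3; result=1
    while [ "$exp" -gt 0 ]; do
        if [ $(( exp % 2 )) -eq 1 ]; then
            result=$(( result * base % mod ))
        fi
        base=$(( base * base % mod ))
        exp=$(( exp / 2 ))
    done
    printf '%s\n' "$result"
}

# dh_public G PRIV P : the value a party sends over the unsecured link
# (g^a mod p for the initiator, g^b mod p for the responder).
dh_public() { modexp "$1" "$2" "$3"; }

# dh_shared PEER_PUBLIC PRIV P : what each side computes locally from the
# peer's public value and its own private value.
dh_shared() { modexp "$1" "$2" "$3"; }

# dh_demo G A B P : runs both sides and prints "A_pub B_pub key_a key_b".
# Exit status is 0 only when both sides derived the same key.
dh_demo() {
    g=$1; a=$2; b=$3; p=$4
    A=$(dh_public "$g" "$a" "$p")      # sent by the party holding a
    B=$(dh_public "$g" "$b" "$p")      # sent by the party holding b
    ka=$(dh_shared "$B" "$a" "$p")     # (g^b mod p)^a mod p
    kb=$(dh_shared "$A" "$b" "$p")     # (g^a mod p)^b mod p
    printf '%s %s %s %s\n' "$A" "$B" "$ka" "$kb"
    [ "$ka" = "$kb" ]
}

# Textbook-sized run: p=23, g=5, a=6, b=15 gives public values 8 and 19
# and a shared key of 2 on both sides (the same as g^(a*b) mod p).
dh_demo 5 6 15 23
```

Nothing in the two public values tells a receiver who generated them, which is the man-in-the-middle exposure the slide points out; IKE closes it by binding the exchanged values to a PSK or signature authentication in the same negotiation.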
*  +  HA IKE Version 1*Design based on Photuris, SKEME, ISAKMP, and Oakley Mutual authentication based on certificates or pre-shared secrets (pre-shared keys - PSK) SA setup and maintenance Features Identity hiding Forward secrecy Negotiated parameters Re-keying Support added for NAT traversal Legacy authentication DHCP\Z@ZZ)Z@)IBIKEv1ISAKMP -- Internet Security Association and Key Management Protocol Framework for authentication and key exchange Initiator and Responder (I and R) -- either side can initiate Send multiple  proposals Select common preferred proposal Two phases Phase 1 established ISAKMP SA Main Mode (6) and Aggressive Mode (3) Phase 2 uses ISAKMP SA to establish further SAs Quick Mode and New Group Mode Oakley Series of Key Exchanges called  modes Combined with SKEME key exchange techniqueDZ.ZyZ ZZ&Z0ZZZRZ 9.Y                0 RJC ISAKMP Phases>Phase 1 Creates bi-directional SA Negotiated Parameters Encryption algorithm Hash algorithm Authentication Method Signature, Public Key, PSK Information about Diffie-Hellman group Sets up secure channel to create further SAs Phase 2 Negotiates parameters for non-ISAKMP SA Protected by ISAKMP SA established in phase 1Z0Z:ZZ'Z-ZZVZ0:'  -VKD!Oakley Key Determination ProtocolUsed in both phases of IKE Provides keying material for encryption, hashing and authentication Perfect Forward Secrecy Compromise of long-term key will not expose previous short-term (session) keys Identity hiding Authentication is done after encryption has started Available in Main Mode, but not Aggressive Mode Efficient re-keying in Quick Mode SAs can be quickly re-keyed Oakley  Groups Specify DH parameters (p, g) or EC parameters Groups 1,2,5* are common DH (768-, 1024-, and 1536-bit mod p)wZOZZdZ"ZZZlZwOA  "  eMF IKE in ActionVIKE exchanges messages on UDP port 500 Traffic is encrypted where possible Cannot be protected by normal IPsec SAs When policy requires outbound packet to be protected Look for existing SA If none exists, contact IKE 
to negotiate SA SPD has policy data for required SA If ISAKMP SA does not exist, negotiate it Policy for ISAKMP SA generation'ZLZ5ZAZ$Z*Z Z'L5A$*   i OGPutting It All Together }qExtended Authentication for IKE{IKE requires mutual authentication using the same methods PSK: most are password-based and assumed weak RSA encryption, RSA signature: requires extensive PKI or key mgmt Need for legacy authentication XAUTH -- extended authentication Do normal phase 1 IKE authentication with PSK or RSA Additional authentication with external server (RADIUS, SecurID, etc) Aggressive mode to renegotiate without re-authenticating user Weak PSKs can render IKE authentication useless Widely deployed by VPN vendors (Cisco, NetScreen, etc.) draft-beaulieu-ike-xauth-02.txt (expired April 2002) Availability limited (OpenSWAN for Linux, most appliances):ZqZZZ:q=&XJM 3 ~rIPsec and NAT ProblemsAH authenticates  invariant fields of outer IP packet These fields are no longer invariant with NAT ESP in transport mode NAT may need to modify port numbers in TCP/UDP TCP/UDP packets may be encrypted (non-NULL cipher) ESP authentication would break if NAT changes ports (NULL cipher) ESP tunnel mode can still work IKE and NAT To and from UDP/500 Identities with PSKs are usually IP addresses7./u+B7./u   BnsIPsec and NAT SolutionsDon t use NAT Use IPv6 if address space is a concern NAT before IPsec is applied IPsec + NAT in a box ESP encapsulated in UDP Allows for tunnel and transport ESP No NAT support for AH -- use ESP authentication draft-ietf-ipsec-nat-t-ike IKE and NAT  Float IKE ports and mux/demux by leaving initiator cookie zero Static NAT for IKE ports -- keep-alive packets necessary Use certificates to get around IP identity problem Supported by quite a few implementationsZ'ZZZZTZ'ZZ'T    @ !A:Future Changes to AH and ESPiLarger sequence numbers 64-bit sequence numbers Set to zero at SA establishment Higher order 32-bits Stored internally by sender and receiver (never transmitted) Used in 
ICV calculation SA Naming Currently identified by SPI, dest address and protocol (AH or ESP) Just SPI and dest address are sufficient Better multicast support Separate algorithm specificationZMZUZ ZlZ:ZMU  l  :  C<Future Changes to ESPTraffic Flow Protection Extended Padding More than 255 bytes  Dummy protocol Next Header (IPPROTO) = 59 Receiver will disregard packet Allow sending of  fake packets Next Header field is encryptedZ   E LE IKE RedesignIKE is a complex beast IKEv2 is being designed All retro-fits for IKEv1 (NAT, legacy authN) New algorithms More efficient exchanges (reduce # of msgs)&/h/hQHRIIPsec ImplementationsKernel Module Modifications to network stack PF_KEY interface Built-in or available as a kernel module Policy Tool For managing SPD Manage SA policies IKE daemon Negotiates Security Associations with remote machines Usually define identity and authentication hereZYZ Z$Z ZfZY $ f  SJWorking With IPsecSetting up IPsec can be best described as  experimental Especially across OSes IPsec-protect all traffic between 2 machines Use a third for control so you don t lose connection! Start with simple configurations and work your way up to policy PSK authentication, basic selectors Use tcpdump or ethereal to watch and verify traffic Ethereal has good decoders for ISAKMP Ping is a good test Make sure you re-initialize appropriate daemons /dev/random is a good source of PSK material dd if=/dev/random bs=1 count=24 | od -x9ZDZ6Z@Z$Z4Z&ZqZ(Z9D6@$          &  q'TKUL Linux IPsecEMain distributions only do IPv4 USAGI is primary IPv6 IPsec source http://www.linux-ipv6.org FreeS/WAN project replaced by OpenSWAN and strongSwan http://www.openswan.org http://www.strongswan.org IKE daemon is pluto KLIPS (Kernel Level IP Security) Loadable kernel module /usr/sbin/ipsec Front-end script for everything else Z#ZZ6Z2Z5ZZZ%Z #6  2  % 0C\ 0  0VM Linux IPsecdYou can do completely manual keying Static keys for SA encryption Please don t use& Turn off route filtering!!! 
echo 0 > /proc/sys/net/ipv4/conf/<iface_name>/rp_filter Due to routing of packets inside kernel Will get  martian source errors No longer supports single-DES Main files ipsec.conf ipsec.secrets$0)$08I   WNLinux ipsec.conf& (Almost all of ipsec configuration is done here Major exception is authentication secrets config setup section Specifies interfaces and file parsing attributes Connection sections Defines almost all parameters of a Security Association  left and  right identities Makes it easy to go from drawing to connection file Can copy configuration from one host to other without swapping Determination of who is  left and who is  right is done internally Transport or Tunnel AH or ESP/Z*ZZ1ZZVZZZ/*  1V      XO:Linux ipsec.conf  connection ( (YPLinux ipsec.conf connections( ( ~type tunnel, transport, passthrough, drop, reject Reject is drop with ICMP message This allows more complete policy definition (firewall-like) left IP address of left participant %defaultroute local address of default route interface Only one of left or right can be set this way %any address to be filled in during IKE negotiation %opportunistic both left and leftnexthop from IKE-]V.f  ]     *.0  [RLinux ipsec.conf connections( ( `leftsubnet  Private subnet behind left Specifies that left will provide IPsec services for this subnet Format network/netmask Defaults to left/32 (or left/128) auth Specifies whether authentication is done with AH or as part of ESP keylife and ikelifetime Security Association and ISAKMP SA key lifetime Seconds, minutes, hours, days (s, m, h, d) leftprotoport Protocol and port numbers (TCP=6, UDP=17) /usr/include/netinet/in.h ZZZCZZ\ZZEZ 4 C \    E\SLinux ipsec.conf connections( ( rauthby How endpoints with authenticate during IKE secret and rsasig (rsasig for RSA secret or certificate) leftid Identity to be used in IKE authentication IP address, @FQDN, X.500 name leftrsasigkey Allows RSA key to be used outside of PKI Can be looked up via DNS %cert along with 
leftcert to specify PEM-encoded file leftrsasigkey2 for 2nd key to be used for rollover2ZdZZHZZZ+(H B            %  ]TLinux ipsec.secrets file& (4Specifies secrets used to authenticate IKE daemons (file permissions!) Identities are addresses, FQDNs, user@FQDN, %any, or %any6 Keys are  PSK or  RSA `3. 0hqZQLinux ipsec command(( `ipsec auto --add <conn-name> ipsec auto --up <conn-name> ipsec auto --down <conn-name> ipsec auto --delete <conn-name> ipsec look Brief,  netstat -rn -style output ipsec barf Lots of status info (no kidding, LOTS!!!) ipsec pluto --debug-* --debug-all, --debug-crypt, --debug-control, etc ipsec klipsdebug" *1  1_ULinux IPsec DetailsHost-to-host tunneling is allowed protoport support is less than reliable No DES support Newer versions don t allow AH only Use ESP with null encryption (esp=null-md6-96) tcpdump on ethX devices can be a bit unreliable ipsecX interface should see un-protected traffic www.freeswan.org www.strongswan.org (has AES, OCSP, LDAP)|Z0ZZ|!e 0  00`V Solaris IPsecpIPsec support in Solaris 8, 9, and 10 Solaris 10 is first to have IPsec for IPv6 IPsec comes up before networking (can t use hostnames in config) IKE daemon is in.iked /etc/inet/ike/config is main config file /usr/sbin/ikeadm /usr/sbin/ipsecconf -- policy tool /etc/inet/ipsecinit.conf is standard startup config ipsecconf -a /etc/inet/ipsecinit.conf Default file has some good examples /usr/sbin/ipseckey Direct manipulation of SA database"&ZlZZ:Z#Z4ZJZZ#Z&l#4  &$"aWSolaris IKE Configuration/etc/inet/ike/config entry Global configuration parameters for Certificate root and LDAP servers Phase 1 lifetimes Specifies how IKE will authenticate and create SAs^Z$Z4Z3Z$43bXSolaris IKE Authentication: PSK,/etc/inet/secret/ike.preshared ID types: IP, IPv6 Preshared keys must be hexadecimal values (no strings) To use strings: echo  authN-string | od -x`ZKZ-ZKcYSolaris IKE Authentication: PKIFiles /etc/inet/secret/ike.privatekeys/* /etc/inet/ike/publickeys /etc/inet/ike/crls/  
- ikecert tool
  - ikecert certlocal -- for dealing with private keys
    - add, create, extract, list, remove private keys
    - add function requires a Solaris-only key format
  - ikecert certdb -- for dealing with the public-key repository
    - add, extract, list, remove public keys from the database (PEM or ASN.1 BER)
  - ikecert certrldb -- for CRLs
    - add, extract, list, remove CRLs
  - ikecert tokens -- for the PKCS#11 token interface
    - New to Solaris 10

Solaris ipsecconf Configuration
- SPD manipulation tool
- ipsecconf -a <file>: add the policies in <file>
- ipsecconf -ln: list policies (-n for no hostname lookup)
  - Individual policies versus file policy entries (also ordered)
- ipsecconf -f: flush all policies
- ipsecconf -d <index>: delete an individual policy

Solaris ipsecconf Configuration
- Policy format: { pattern } action { properties }
  - Listed in order of application
- Pattern is the selector: saddr/daddr, sport/dport, ulp [proto]
- Action
  - apply (outbound), permit (inbound), ipsec (both)
  - bypass, pass, drop
    - pass/bypass take precedence in ordering

Solaris ipsecconf Configuration
- Properties
  - auth_algs -- use AH: HMAC-MD5, HMAC-SHA
  - encr_algs -- use ESP encryption: DES-CBC, 3DES-CBC, BLOWFISH-CBC, AES-CBC
  - encr_auth_algs -- use ESP authentication: HMAC-MD5, HMAC-SHA
  - dir -- if not implied: in | out | both
  - sa -- use an existing SA or create a new SA for this policy: unique, shared
- Use ipsecalgs to show the supported encryption and authentication algorithms

Solaris ipsecconf Configuration
(figure slide; no text)

Solaris IPsec Tunneling
- All IPsec associations are assumed transport unless specific tunnels are set up
- Set up tunnel pseudo-devices
  - In /etc/hostname6.ip6.tun0

Solaris IPsec Debugging
- The IKE daemon can be run in the foreground with debugging
  - /usr/lib/inet/in.iked -d
- ikeadm can also turn on debugging info
  - ikeadm set debug all /tmp/foo
  - cert, key, op, phase1, phase2, pfkey, policy, prop, door, config
- Kernel-level debugging
  - ndd /dev/ipsecah \? and also ndd /dev/ipsecesp \?
  - Turn on logging for the different AH/ESP facilities
  - Output usually through syslog

Macintosh OS X IPsec (BSD)
- OS 10 and later
- IKE daemon is racoon
  - /etc/racoon/racoon.conf configuration file
- Policy tool is setkey
  - For SPD and SAD

Mac OS X racoon.conf
- General IKE config
- Includes /etc/racoon/remote/*.conf
  - Use these for configuration of specific endpoints
- remote section: Phase 1 configuration
- sainfo section: Phase 2 configuration

Mac OS X racoon.conf
(figure slide; no text)

Mac OS X IKE Authentication
- Preshared keys: /etc/racoon/psk.conf

Mac OS X setkey
- Direct SAD management
  - dump to list all SAs -- setkey dump
  - setkey add src dst protocol spi [extensions] algorithm...
  - Recommend using policy definitions instead
- SPD rules

Mac OS X setkey
- setkey -f
- setkey -D -- dump SAD
- setkey -F -- flush all SAs in SAD
- setkey -FP -- flush all policies in SPD
- setkey -x -- dump all PF_KEY messages
  - For debugging
- Algorithms
  - authN: hmac-md5, hmac-sha1, keyed-md5, keyed-sha1, null, hmac-sha2-256, hmac-sha2-384, hmac-sha2-512
  - encr: des-cbc, 3des-cbc, simple, blowfish-cbc, cast128-cbc, des-deriv, 3des-deriv, rijndael-cbc

Windows IPsec
- Windows 2000 SP2 and XP
- Create an "IPsec and Certificates" MMC
  - Start/Run/MMC
  - Click on "File", then "Add/Remove Snap-in"
  - Click on "Add"
  - Click on "Certificates", then "Add"
  - Select "Computer Account" and "Next"
  - Select "Local Computer" and "Finish"
  - Select "IP Security Policy Management" and "Add"
  - Select "Local Computer" and "Finish"
  - Click "Close" and "OK"

Windows IPsec
- Add certificate
  - Click the plus arrow by "Certificates (Local Computer)"
  - Right-click "Personal" and click "All Tasks", then "Import"
  - Click "Next"
  - Browse and select the .p12 file and click "Next"
  - Type the export password and click "Next"
  - Select "Automatically select the certificate store based on the type of certificate" and click "Next"
  - Click "Finish" and say "Yes" to any prompts that pop up
  - Exit the MMC and save as a file

Windows IPsec
- Create new IPsec policy
  - Default policies are just about worthless
- From the MMC console
  - Right-click on "IP Security Policies on Local Computer"
  - Select "Create IP Security Policy", then "Next"
  - Create name and/or description, then "Next"
  - Un-check "Activate the default response rule", then "Next"
  - Click "Finish" to complete the wizard and edit the properties of the new rule

Windows IPsec
(figure slide; no text)

Windows IPsec
- MMC: "IP Security Policies on Local Computer"
- You select one policy to be "assigned" or in use
  - "In the Office" policy
  - "On the Road" policy
- This policy will have one or more "rules"
- Each rule has
  - IP Filter list -- create and select filter (addrs, proto, ports)
  - Filter Action -- create and select action (ESP/AH algs)
  - Authentication -- (Kerberos, certificate, PSK)
  - Tunnel Setting -- (on/off and endpoint)
  - Connection Type -- (not sure what this does)
- Each rule can authenticate to remote systems independently
  - Different methods and keys
- Rules are analogous to Linux "connections"

Windows IPsec Details
- Windows 2000 3DES only available with the "High Encryption Pack"
- AES availability
  - No plans for XP or Windows Server 2003 (June 10, 2003)
- Oakley Groups 1 and 2 available
  - Group 5 is part of a new RFC, but already widely deployed
- Will not allow a hex value as pre-shared secret
  - Solaris will only do hex values
  - echo "mysharedsecret" | od -x

IPsec Certificates
- PEM is the most widely accepted format
- OpenSSL can convert most popular cert formats
  - Ex: public and private key PEM files into PKCS12
    openssl pkcs12 -export -in host_cert.pem -inkey host_priv.pem \
        -certfile cacert.pem -out host.p12
- Can generate your own CA and issue certs
  - OpenSSL shell script CA.sh
    CA.sh -newca   # create new CA -- only once
    CA.sh -newreq  # request a certificate
    CA.sh -sign    # sign request
  - Generates a private key file (request) and a certificate file
  - Move private key files around securely!!
- Some IPsec implementations allow certificates and private keys to be stored on smartcards
  - strongSwan, Solaris

Recommendations
- Implement IPsec with its limitations in mind
  - IPsec is not a silver bullet for security
  - No user or application layer security
  - Duplicate firewall or IDS services at VPN endpoints
- Secure only what is necessary (e.g. just NFS)
- Think about IKE identities (personal or host certificates)
- Keep up with patches and updates!
  - Patches to the IPsec modules themselves
  - Regular OS patches
- Be aware of "unauthorized" VPNs
  - Attempts to bypass firewalls or IDS

Acknowledgements
- Rene Esposito, BAH, IPv6 Forum
- Richard Graveman, RFG Security, IPv6 Forum
- Microsoft TechNet web site
- Sun web sites
- FreeSWAN web site, www.freeswan.org

Contact: DRENard@wareonearth.com, rhartman@wareonearth.com

[Figure residue from the slide masters: encryption/decryption operation diagram (Plaintext, Key, Cipher text) and one-way hashing diagram (Data, Hashing Algorithm, Hash, "one way")]
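The "IPsec Certificates" slide above lists the certificate steps (create a CA once, request and sign a host certificate, convert PEM key and cert into PKCS#12 for import). The script below is an added example, not the tutorial's code and not the OpenSSL CA.sh wrapper: it carries those steps through with plain openssl commands and adds the two checks a practitioner wants before shipping the .p12, that the host certificate chains to the CA and that the bundle only opens with the export password. The CA name, host name, file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the tutorial): private CA, host certificate, and a
# PKCS#12 bundle for import on an IPsec endpoint, using openssl directly
# instead of CA.sh. Subjects, file names and the export password are made up.

set -eu

# Create a self-signed CA (the "only once" step) in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example IPsec CA" \
        -keyout "$1/cacert_key.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Generate a host key plus request, then sign the request with the CA.
issue_host_cert() {  # usage: issue_host_cert <dir> <host-fqdn>
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$2" \
        -keyout "$1/host_priv.pem" -out "$1/host_req.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/host_req.pem" \
        -CA "$1/cacert.pem" -CAkey "$1/cacert_key.pem" -CAcreateserial \
        -out "$1/host_cert.pem" 2>/dev/null
}

# The conversion shown on the slide: PEM key + cert (+ CA chain) into one
# PKCS#12 file. The private key travels inside it, so the file is created
# with mode 600 and protected by the export password.
bundle_p12() {  # usage: bundle_p12 <dir> <export-password>
    ( umask 077
      openssl pkcs12 -export -in "$1/host_cert.pem" -inkey "$1/host_priv.pem" \
          -certfile "$1/cacert.pem" -out "$1/host.p12" -passout "pass:$2" 2>/dev/null )
}

# Does the issued certificate chain to the CA? Prints OK or FAIL.
verify_host_cert() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/host_cert.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Can the bundle be opened with this password and does it hold a key? yes/no.
p12_has_key() {  # usage: p12_has_key <dir> <export-password>
    openssl pkcs12 -in "$1/host.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' && echo yes || echo no
}

# Permission string (e.g. -rw-------) so the .p12 can be checked before it moves.
file_mode() { ls -ld "$1" | cut -c1-10; }
```

Call make_ca once, issue_host_cert per endpoint, then bundle_p12 and the two checks; the resulting host.p12 is what the Windows certificate-import steps above consume, and the export password typed there is the one given to bundle_p12. Using distinct export passwords per host, and deleting the .p12 after import, keeps the "move private key files around securely!!" advice honest.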
[Figure residue from the cryptography slides: three block-cipher diagrams labelled Block Encrypt, Plaintext Block 0-2, key, Ciphertext Block 0-2; one variant adds an Initialization Vector (IV); one feeds Sequence Number, Sequence Number + 1, Sequence Number + 2 and notes "Sequence number must not wrap!!"]
[Figure residue: session-key diagram (Plaintext, Session Key, Encrypt w/ Session Key, Encrypt Session Key w/ Public Key) and signing diagram (Generate Hash, Encrypt Hash w/ Private Key, Encrypt, Sign)]